Bug#28569645: SQL INJECTION ON SLAVE DUE TO NON-QUOTING IN

Arun Kuruvila · Arun Kuruvila · commit 3dadc9558507 · 2018-10-08T14:16:23.000+05:30
BINLOGGED ROLLBACK TO SAVEPOINT

Description: SQL injection is possible on slave due to
incorrect binlogging of 'ROLLBACK TO SAVEPOINT' statements.

Analysis: Whenever an identifier is written to binary log,
it should be properly quoted to prevent any SQL injection
on the slave. For binlogging of 'ROLLBACK TO SAVEPOINT'
statements, this is correctly fixed on 5.5 by the patch
for Bug#14548159, but the fix is missing from 5.6+.

Fix: Added proper binlogging for 'ROLLBACK TO SAVEPOINT'
statements.
diff --git a/sql/binlog.cc b/sql/binlog.cc
@@ -1860,11 +1860,19 @@ static int binlog_savepoint_rollback(handlerton *hton, THD *thd, void *sv)
   if (trans_cannot_safely_rollback(thd))
   {
     String log_query;
-    if (log_query.append(STRING_WITH_LEN("ROLLBACK TO ")) ||
-        log_query.append("`") ||
-        log_query.append(thd->lex->ident.str, thd->lex->ident.length) ||
-        log_query.append("`"))
+    if (log_query.append(STRING_WITH_LEN("ROLLBACK TO ")))
       DBUG_RETURN(1);
+    else
+    {
+      /*
+        Before writing identifier to the binlog, make sure to
+        quote the identifier properly so as to prevent any SQL
+        injection on the slave.
+      */
+      append_identifier(thd, &log_query, thd->lex->ident.str,
+                        thd->lex->ident.length);
+    }
+
     int errcode= query_error_code(thd, thd->killed == THD::NOT_KILLED);
     Query_log_event qinfo(thd, log_query.c_ptr_safe(), log_query.length(),
                           TRUE, FALSE, TRUE, errcode);
